By Kevin Cardwell and Craig Wright
Service provider takeaway: iPods act as an excellent alternate data storage option. Learn how to conduct forensic analysis on the data hidden within the device in this section of the chapter excerpt from Syngress Publishing's Alternate Data Storage Forensics.
Apple Inc. produces three separate digital media players all bearing the iPod brand. Whether the original iPod, the iPod Nano or an iPod shuffle, all of these devices have the capability not only to play music but also to act as a storage device. The capability to store digital data coupled with the iPod's popularity will result in the forensic analysis of these devices becoming more common. Consequently, the National Institute of Standards and Technology (NIST) has developed guidelines for PDA forensics (Jansen & Ayers, 2004) to address this issue. The secret is to treat the iPod as you would treat any other suspect hard drive being analyzed. Treat it with the respect and care it deserves and remember it is evidence.
The Apple iPod family currently comprises five generations of devices for the primary units and two generations of ancillary models. These are listed below.
• First Generation iPod October 2001 saw the first release of the Apple iPod. This device connected using a FireWire jack and introduced the Apple physical scroll wheel. This device used the original form factor and is the classic iPod design.
• Second Generation iPod Implemented the large hard drive (10 Gb and 20 Gb), introduced the touch sensitive wheel and put a cover on the FireWire port but was otherwise physically the same as the first generation iPod.
• Third Generation iPod The third generation introduced a central row of touch sensitive buttons and a dock connector port. The primary connection was still FireWire but USB was introduced for data syncing.
• Fourth Generation iPod The fourth generation of the iPod introduced the photo viewer. The color display was introduced at this stage. Either FireWire or USB could be used.
• Fifth Generation iPod The next generation introduced a video function and lyrics support. This version has no AC adapter universal block or A/V cable included; these must be purchased separately. The latest edition (generation 5.5) features a brighter display, the ability to search and a longer video battery life. Fifth generation iPods use only USB, with FireWire connections relegated to charging only.
The ancillary iPods include the following models:
• iPod mini The iPod mini is a slimmer version of its original cousin. These devices use either a 4 or 6 GB hard drive and implement a scroll wheel with integrated buttons. There are two generations of iPod mini, and connections are made using either USB or FireWire.
• iPod Nano The iPod nano implements a flash memory storage system. These devices are otherwise similar to the fifth generation iPod in many respects. The iPod nano uses USB connections with FireWire for charging only.
• iPod shuffle Again there are two generations with the iPod shuffle. All these devices implement flash memory instead of hard drive storage. The iPod shuffle uses USB connections and the later models implement USB through the docking function alone.
The iPod supports a variety of file formats including Protected AAC, AIFF, MP3, WAV, M4A/AAC LC and Apple Lossless audio file formats. From the introduction of the fifth-generation iPod a number of video formats are also supported. These include the .m4v and .mp4 MPEG-4 (H.264/MPEG-4 AVC) file formats. Additionally, iTunes has the capability to translate Windows WMA formatted files to an iPod format as long as they are not copy protected.
The iPod is not currently able to play copy protected WMA files. Additionally, the iPod is unable to play MIDI, Ogg Vorbis and FLAC multimedia formats. It is however possible to translate MIDI files to another format using iTunes. iTunes will not transfer songs from the iPod to a computer because of perceived copyright and other legal issues. A number of third-party products have been created to circumvent the iPod's copy protection.
Current iPods include limited PDA functionality. Macintosh users have been able to synchronize schedules and contacts from their address book and iCal using iSync. From the release of iTunes version 5.0, Apple has integrated the ability to synchronize contacts and schedules from iTunes to the iPod. Contacts maintained in either Microsoft Outlook or Outlook Express may be synchronized with the iPod in this manner. Mozilla calendar files use the same format as the iPod, so although there is no automated method to synchronize Mozilla data, these files may be copied to the iPod manually.
Even with this functionality, however, the inability to add or update entries on the iPod itself limits the usefulness of the iPod as a PDA. From a forensic perspective, this does not diminish the ability to capture data (including calendar entries and schedules) from the device.
Drive Formats: Apple HFS+ or FAT32
The drive format used by the iPod hard drive is dependent on the computer system to which the iPod is initially synchronized. If the iPod is initially synchronized with a Mac machine, the iPod will be formatted using the Apple HFS+ file system. Where the iPod is initially connected to a Windows host, the iPod drive will be formatted with the FAT32 file system.
When conducting a forensic analysis of the iPod it is important to know which type of system the iPod has been synchronized with. This information also provides the analyst with some background information as to the use and history of the device. Knowledge of the format used will generally make it easier to match the iPod device to the host it has been synchronizing with. It is important to remember that although the iPod was initially synchronized with either a Windows or Mac host, it may also have been used on other machines.
The iPod writes data from the beginning to the end of the drive before returning to the beginning. This is a valuable feature for the forensic analyst, as the use of this wear-levelling technique makes the overwriting of deleted files less likely. Because the FAT32 file system does not maintain records of file ownership, the HFS+ file system (which maintains ownership metadata) is the preferred format from a forensic perspective. Unfortunately, the HFS+ file system is somewhat less common than the FAT32 file system.
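One way to establish which file system, and therefore which kind of host, an imaged iPod was synchronized with is to look for the FAT32 boot-sector and HFS+ volume-header signatures directly in the raw image. The following is an added example, not code from the book; it scans every sector boundary so that neither the MBR nor the Apple Partition Map has to be parsed first, and the sample images are constructed rather than real iPod dumps.

```python
import struct

SECTOR = 512

def find_volumes(image: bytes):
    """Return (file_system, volume_start_offset) for every FAT32 or HFS+/HFSX
    volume signature found in a raw disk image.  Scanning each sector boundary
    avoids having to parse the MBR (Windows-synced iPod) or the Apple
    Partition Map (Mac-synced iPod) before locating the data volume."""
    found = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sec = image[off:off + SECTOR]
        # FAT32 boot sector: "FAT32   " file system type string at offset 0x52
        # plus the 0x55AA boot signature in the last two bytes.
        if sec[0x52:0x5A] == b"FAT32   " and sec[510:512] == b"\x55\xAA":
            found.append(("FAT32", off))
        # HFS+ volume header sits 1024 bytes into the volume: signature 'H+'
        # with version 4, or 'HX' with version 5 for HFSX.  Subtract 1024 to
        # get the byte offset where the volume itself starts.
        elif sec[0:2] in (b"H+", b"HX") and off >= 1024:
            version = struct.unpack(">H", sec[2:4])[0]
            if (sec[0:2], version) in ((b"H+", 4), (b"HX", 5)):
                name = "HFS+" if sec[0:2] == b"H+" else "HFSX"
                found.append((name, off - 1024))
    return found

def likely_sync_host(image: bytes) -> str:
    """Map the volume type found to the host family that would have formatted it."""
    kinds = {kind for kind, _ in find_volumes(image)}
    if "FAT32" in kinds:
        return "Windows"
    if kinds & {"HFS+", "HFSX"}:
        return "Mac"
    return "unknown"

def _fat32_sector() -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x58\x90"          # jump instruction typical of a boot sector
    s[0x52:0x5A] = b"FAT32   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)

def _hfsplus_volume() -> bytes:
    v = bytearray(4 * SECTOR)
    v[1024:1028] = b"H+" + struct.pack(">H", 4)   # signature + version 4
    return bytes(v)

# Constructed sample images (not real dumps): a zeroed sector stands in for the
# partition table, followed by the formatted volume.
WINDOWS_IMAGE = bytes(SECTOR) + _fat32_sector() + bytes(2 * SECTOR)
MAC_IMAGE = bytes(2 * SECTOR) + _hfsplus_volume()
```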
The iPod System Partition
The System Partitions of either the Windows or Macintosh format iPod demonstrate that there is no user identifiable data stored in this partition. The data contained in this partition is associated with the running of iPod and includes:
• The iPod embedded Operating System.
• The images used during the operation of the device such as the Apple logo and the "Do Not Disconnect" screen image.
• The system fonts used for the display of the text on the device.
• Games and other applications copied to the device
Where iPodLinux has been installed, user data may exist in the system partition. Installing iPodLinux will change the hash value for the System Partition. This is because iPodLinux modifies the boot loader in the System Partition. The boot loader allows the iPod user to select either the official Apple embedded operating system or the iPodLinux operating system. The system files for iPodLinux are maintained in the iPod Data Partition. However, the changes to the boot loader require the System Partition to be modified, changing the hash value of the system partition.
Application Formats
Music and other file formats are stored in a variety of locations within the iPod. Accessories exist that allow the iPod to be used for a variety of functions. Applications and accessories may be loaded using either the native iPod operating system or iPodLinux. These applications allow for the storage of a variety of files including voice recordings, digital camera photo storage and electronic games.
Contact and calendar files can be easily found by searching the drive for the text strings BEGIN:VCARD and BEGIN:VCALENDAR. These entries indicate the beginning of the respective file types. The data remains on the drive after the entries are deleted.
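The string search described above can be turned into a simple carver that recovers every vCard and vCalendar record from a raw image, including copies that survive in unallocated space after deletion. This is an added example, not the book's own code; the sample image is constructed, and a record whose END marker has been overwritten is reported as truncated rather than silently dropped.

```python
import re

# BEGIN/END markers for each record type, exactly as they appear on the drive.
MARKERS = {
    "vcard": (b"BEGIN:VCARD", b"END:VCARD"),
    "vcalendar": (b"BEGIN:VCALENDAR", b"END:VCALENDAR"),
}

def carve_records(image: bytes, max_len: int = 65536):
    """Return (kind, byte_offset, text) for every vCard / vCalendar record in a
    raw image.  No file system parsing is done, so records left behind in
    unallocated space after deletion are found too.  If no END marker occurs
    within max_len bytes the record is partly overwritten; text is None."""
    results = []
    for kind, (begin, end) in MARKERS.items():
        for match in re.finditer(re.escape(begin), image):
            start = match.start()
            stop = image.find(end, start, start + max_len)
            if stop == -1:
                results.append((kind, start, None))        # truncated record
                continue
            stop += len(end)
            results.append((kind, start, image[start:stop].decode("ascii", "replace")))
    return results

def vcard_names(image: bytes):
    """Extract the FN (formatted name) line from every complete vCard carved."""
    names = []
    for kind, _, text in carve_records(image):
        if kind == "vcard" and text is not None:
            fn = re.search(r"^FN:(.*?)\r?$", text, re.M)
            if fn:
                names.append(fn.group(1))
    return names

# Constructed sample "image": two intact vCards, one calendar entry and one
# deleted vCard whose tail has been overwritten, scattered among filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\nTEL:555-0100\r\nEND:VCARD\r\n"
    + b"\xff" * 32
    + b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Meeting\r\n"
    + b"DTSTART:20070101T100000Z\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
    + b"\x00" * 16
    + b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Sample\r\nEND:VCARD\r\n"
    + b"\x00" * 16
    + b"BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Cut Off"
)
```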
Misuse of an iPod
Like any other digital storage device, the iPod may hold incriminating evidence. In its native format the iPod may contain calendar entries related to a crime or other event of interest. Additionally, contact information stored on the device may be relevant to an investigation. The iPod is also capable of creating voice recordings, so recordings of meetings may be recovered. Coupled with photographs or other substantiation, the iPod could be a rich source of evidence to the investigator. With its large hard drive, the iPod is an ideal storage location for music that violates copyright and, with the newer devices, pornographic pictures.
About the book
Alternate Data Storage Forensics explores forensic investigative analysis methods when dealing with alternate storage options. The book presents cutting-edge investigative methods from cyber-sleuth professionals. Purchase the book from Syngress Publishing.
Reprinted with permission from Syngress Publishing from Alternate Data Storage Forensics by Amber Schroader and Tyler Cohen (Syngress, 2007)
This was first published in July 2008